Cybercrime Is Escalating from Bank Heists to Market Manipulation
Modern-day bank robbers are after more than just the cash that sits inside a digital vault. Cyber-crime cartels have realized that the most significant asset is nonpublic market information that can be used to fuel economic espionage.
An Escalation to Economic Espionage
If data is the new oil of the digital economy, then nonpublic market information is the new currency of the dark web. Two out of three financial institutions experienced attacks that targeted market strategies in the past year. Cyber-crime cartels want to get their hands on confidential information that can affect the share price of a company as soon as it becomes public, such as earnings estimates, public offerings, and significant transactions.
Additionally, they are seeking the long-term market strategies of major financial institutions to facilitate front-running. Front-running is the illegal practice of purchasing a security based on advance nonpublic information regarding an expected large transaction. We are experiencing an evolution from bank heist to market manipulation.
In a sector that is entirely dependent on the accuracy of the clock, Chronos attacks are also surging. In the last year, 67% of financial institutions observed the manipulation of time stamps. Nearly half of Chronos attacks targeted market positions, a concerning development considering how critical a role the clock plays in the markets.
Clock synchronization and precise time stamps are essential to fair and transparent financial markets, and therefore to protecting investors. That is, until cyber-criminals make themselves the timekeepers. Financial institutions need to keep a close eye on the clock and ensure that security teams are prepared to protect the integrity of time.
Banks Are Paying Ransom
Ransomware returned with a vengeance last year, and the financial sector was in the crosshairs. Ransomware attacks affected 74% of financial security leaders, representing nearly 3 in 4 financial institutions, in the past year. What’s shocking is that the majority (63%) of those victims paid the ransom.
Discussing top concerns for the year, the CISO of a global financial institution said, “Ransomware tops the list for us, having paid out a steep sum last year.” One cyber-crime cartel continued to come up in my conversations with security leaders: Conti. The Conti ransomware family, which VMware discovered in July 2020, is one of the most prevalent threat actors targeting the financial sector.
Its ransomware-as-a-service model allows affiliate cyber-criminals to leverage Conti’s ready-made ransomware kits to compromise a network, encrypt sensitive files, and demand (and apparently receive) ransom from financial institutions.
Chainalysis noted that the Conti ransomware gang earned more than $180 million last year. In a six-month span last year, the Financial Crimes Enforcement Network said it identified approximately $5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments.
Global law enforcement agencies have taken significant actions aimed at curbing ransomware, including mitigating the money laundering associated with cyber-crime, treating ransomware attacks on critical infrastructure as a national security issue, and banning ransomware payments as they represent modern-day terror financing.
Under new reporting requirements, financial institutions must notify the Cybersecurity and Infrastructure Security Agency within 24 hours if they have been impacted. The financial sector plays a critical role in protecting our global financial system from ransomware through quick and complete reporting of suspicious transactions.
Defending Against Destruction
With Russia’s invasion of Ukraine and resulting economic sanctions as the backdrop to this year’s report, the majority of financial leaders I spoke to stated that Russia posed the greatest concern to their institution. Financial institutions are operating under the assumption that they will be impacted by destructive cyber-attacks, either directly or indirectly, and adversary behavior will be punitive. Since Jan. 13 of this year, Russian cybermilitias have launched eight new destructive attack campaigns, with the most recent being RuRansom.
As geopolitical tension continues to play out in cyberspace, 63% of financial institutions experienced a surge in destructive attacks. Cyber-criminals who target the financial sector often escalate from heist to destruction in order to burn evidence as part of their counter incident response.
Destructive attacks, like the HermeticWiper malware that hit Ukraine earlier this year, are launched punitively to destroy, disrupt, or degrade victim systems by taking actions such as encrypting files, deleting data, destroying hard drives, terminating connections, or executing malicious code.
Ensuring the heist does not escalate to a digital hostage situation is imperative. Security leaders, particularly those in the financial sector, know that a strong defense is the best offense. Security teams should adopt modern threat hunting on a weekly basis as a best practice. The Financial Services Information Sharing and Analysis Center has a superior model for threat intelligence sharing.
As financial institutions work to mitigate and respond to modern cyber threats, collaboration within the financial sector and with law enforcement is critical to ensure that the public maintains their trust and confidence in the safety of financial institutions and the global financial market.